Azure users unable to log in when integrated with Data Center SSO 2.0

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform Notice: Data Center Only - This article only applies to Atlassian products on the data center platform.

Summary

After integrating Data Center with Azure via the Data Center SSO 2.0 plugin, Azure users receive a generic "We can't log you in right now" error message when trying to log into Confluence. 

Environment

  • Azure Active Directory
  • Data Center SSO 2.0 plugin

Diagnosis

For a given user encountering this situation while logging in, the following error appears in the application logs:

2021-12-22 19:01:27,386 ERROR [http-nio-8080-exec-5] [impl.web.filter.ErrorHandlingFilter] logException [UUID: 79a91343-3bf8-4cfb-a562-022612ebe316] Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
 -- referer: https://login.microsoftonline.com/ | url: /plugins/servlet/samlconsumer | traceId: e905ee736246ea42 | userName: anonymous
com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
	at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:56)
	at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:28)
	at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:105)

Investigate the SAML attributes being sent to Confluence by using a tool such as SAML Chrome Panel.  Normally, the SAML reply will contain the following attribute along with a list of groups:

<Attribute Name=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups\"><AttributeValue>

Instead of this particular attribute, however, you note that the following attribute is present for the user:

<Attribute Name=\"http://schemas.microsoft.com/claims/groups.link\"><AttributeValue>

Cause

Based on Microsoft's SAML token claims reference, the groups.link attribute is a Group Overage Indicator indicating that the number of groups associated with the user exceeded a limit of 150.   As a result, this scenario has been documented in SAMLDC-97: JIT does not work with Azure AD SSO for users with more than 150 groups.


Solution

As a possible workaround, consider adding the user ID to an application only group and reconfiguring each user's group claim to application access only (ie. User.Groups[ApplicationGroup]).  Also, ensure that this  group has appropriate global permissions within the Atlassian application.


Last modified on Jan 11, 2022

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.